"Personal Data" means any data pertaining to a person that enables the identification of that person, whether directly or indirectly, but specifically excluding data of the deceased.

"Personal Data Administrator" means a person or corporate entity who has a decisive power on compiling, using or disclosing Personal Data (the "Data Administrator").

"Personal Data Processor" means a person or corporate entity who carries out the collecting, applying, or disclosing of personal data according to the instruction or on behalf of the Personal Data Administrator. Such Personal Data Processor shall not be the same person as the Personal Data Administrator (the "Data Processor").

The collection of personal information may be done as necessary under the lawful means and purposes. A Data Administrator may collect, process, use or disclose Personal Data of a Person only when prior affirmative consent has been given by the data subject. The consent can be given in writing or through electronic means.

The Data Administrator shall only obtain the data directly from the data subject.

The Data Administrator must inform the data subject of the purpose of collecting the data, what data is to be collected, and to whom the data will be disclosed.

Additionally, the request for consent must be clearly separated from other messages. The message must be delivered in a format which is easily accessible and understandable, using language that is easy to understand. The message should not be misleading or cause data subjects to misunderstand the purpose of collecting the data. The Commission may require the Data Administrator to request consent from the data subject in accordance with any announcement that the board may make from time to time.

The Thailand PDPA does not provide a specific definition of "sensitive data." However, according to the PDPA, it is prohibited to collect information related to ethnicity, political opinions, religious beliefs, sexual orientation, criminal history, health information, disability, trade union information, genetic data, biological data or any other information that affects the data subject in the same way, unless there are specific laws which stipulate otherwise, e.g. for the protection of health or physical condition of the data subject.

The PDPA does allow, in some limited circumstances, for an exemption to the requirement to obtain consent from the data subject where the data is collected from another Person who is not the data subject.

In obtaining consent from the owner of the Personal Data, the Data Administrator must take into account the absolute independence of the owner of the personal information in giving the consent. In entering into a contract, including to provide any services, there must not be any condition for consent to be granted to collect, use or disclose personal information that is not necessary or relevant to entering into such contract or services.

Parental consent for minors

Parental consent is required in cases where minors may not provide the consent themselves. Where the data subject is under 10 years old, parental consent is required from the parent who is authorized to act on behalf of the minor, as stipulated in law.

In cases where the data subject lacks the relevant capacity, the consent must be obtained by the guardian/custodian of such data subject.

Rights of the data owners

Data owners are entitled to request access to personal data pertaining to them except in cases where, among others, the request is not under the provisions of applicable laws or court orders.

Data owners are also entitled to request that their personal data be destroyed, temporarily suspended, or maintained in anonymized form.

Data protection

Data Administrators are required to implement proper and adequate procedures to keep personal data secure. The Committee may, from time to time, issue guidelines that Data Administrators can use as a reference for their data protection practices. The Committee may also implement specific requirements on the qualification of Data Administrators and Data Processors.

The PDPA prohibits the transfer of personal data to third countries where data protection regulations are substantially deficient, except when the transfer is carried out according to one of the following scenarios:

where the transfer is processed according to the laws;

where the transfer is carried out after obtaining the specific consent from the data owner, who has been made aware of the third country’s insufficient data protection laws;

where the transfer is carried out according to the obligations of a contract to which the data owner is a party that has an obligation to perform;

where the transfer of data to a third country is conducted in order to prevent or suspend harm to the life, body or health of the owner of the personal information or other persons, while the data owner lacks the capacity to give consent; and

when it is necessary, for the purpose of carrying out the transfer for significant public benefit.

The owner of the personal information may file a complaint to the Committee in the event that the Data Administrators or Data Processors, including their employees, violate or fail to comply with the PDPA or announcement issued under the Act. The Committee shall assign a proficient sub-committee to investigate and verify each of the issues submitted to the Committee's office.

Where the sub-committee considers or verifies that complaints or actions may be amenable and the parties wish to mediate such issues, the sub-committee will conduct mediation. If the complaint or action cannot be reconciled or mediated or, if the mediation occurs but is not successful, the sub-committee has the right to issue one of the following orders:

to instruct the Data Administrator or Data Processor to act or correct their actions within the specified period; or

to instruct the Data Administrator or Data Processor to refrain from taking any actions that cause damage to the data owners as well as to act in any appropriate manner to prevent any further damage to the data owner, within a certain period of time.

In the event that the Data Administrator or Data Processor refuses to follow the administrative order, the authority may apply enforcement provisions, which may include seizing of properties or freezing of business activities under the law related to administrative duties.